Strong opinions, weakly held

SSL broadly compromised by the NSA

There have been many depressing if not altogether unexpected revelations since Glenn Greenwald broke the story of Edward Snowden’s NSA leaks. Reporters have been working overtime to dig into NSA programs for snooping on electronic conversations. Today’s New York Times story on the NSA compromising SSL is perhaps the biggest. SSL is the secure protocol browsers use to communicate with Web servers. It is the foundation of secure commerce on the Web.

Here’s the crux of the story:

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

For more, see this article by Bruce Schneier. As he points out, the NSA has subverted these protocols by cheating the system, not through a cryptanalytic attack on SSL itself. We, as builders of the Internet, need to figure out what we can and can’t trust at this point. If anything, this shows that more than ever before, closed source software is fundamentally untrustworthy.